Binghamton Bank's applications and infrastructure face various risks that could impact operations and compliance. Key risks include: lack of authorization controls and encryption on applications storing sensitive customer data; infrequent testing of disaster recovery plans; reliance on external vendors for critical functions without backup protocols; and outdated servers. Recommendations focus on strengthening authentication, implementing monitoring systems, encrypting data, and more frequent testing to improve security and disaster preparedness.
The document summarizes risk analyses conducted by Aegis Consulting on the infrastructure and applications of Binghamton Bank. For infrastructure, key risks identified include dependency on external ATM vendors, lack of remote access security for online banking, and inadequate disaster recovery and outdated server security. For applications, risks analyzed include potential data leaks and hacking of a sensitive client data application and lack of security controls for the internal reporting application. Recommendations provided focus on implementing backup plans, access controls, encryption, and updates to address these risks.
The document summarizes risk analyses for the infrastructure and applications of Binghamton Bank. For infrastructure, the top risks were reliance on external vendors for ATM operations without backup plans, lack of server security measures like encryption, and outdated servers. Recommendations included establishing transitional vendors, implementing encryption and testing disaster recovery plans. For applications, risks involved weak online banking security allowing unauthorized access and data breaches. Recommendations focused on access controls, authentication, encryption and employee training.
Internal Controls and Effective Report Writing - sent to MSCPA (Ron Steinkamp)
The document discusses internal controls and effective report writing. It covers key internal control considerations like segregation of duties, expenditure controls, IT risks, and recommendations to address common control deficiencies. The presentation provides an overview of internal controls and their purpose to promote effective and efficient operations while ensuring compliance. It also outlines roles and responsibilities as well as why controls may fail and tips to improve controls.
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1 (Lisa Niles)
This document discusses the CIS Top 20 Critical Security Controls. It begins with an introduction to the CIS controls and their goal of prioritizing an organization's security efforts to defend against common attacks. It then covers specific control #1 on maintaining an inventory of authorized and unauthorized devices on the network. The document provides guidance on procedures for implementing control #1, such as using scanning tools to identify devices and ensuring the inventory is automatically updated when new devices connect. It also lists some free and commercial tools that can be used to support control #1.
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5 (Lisa Niles)
This document discusses CIS Top 20 Critical Security Control #5 on controlling use of administrative privileges. It provides an overview of privileged accounts and why tight control is important. It then outlines 10 specific steps to implement the control and secure privileged access. Tools and best practices are also mentioned to inventory, authorize, and monitor administrative accounts while enforcing least privilege.
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2 (Lisa Niles)
The document discusses Control #2 of the CIS Top 20 Critical Security Controls, which focuses on having an inventory of all authorized and unauthorized software installed on systems to help organizations reduce security risks. It provides an overview of why having a software inventory is important, examples of tools that can be used to implement the control, and guidance on procedures like regularly scanning for unauthorized software.
Continuous Audit and Controls with Brainwave GRC (Graeme Hein)
How businesses can cut costs, improve operations, and reduce risk by adopting continuous audit and internal controls. What steps to take immediately and what to look for in an automation solution.
The document discusses the changes to the banking audit environment due to the widespread adoption of information technology. It notes that while the basic tenets of audit remain the same, the role, focus, and scope of audit have changed significantly. IT has transformed how businesses operate and how value is delivered to customers, and this has fundamentally changed the audit environment. The document outlines the banking applications used today, such as core banking solutions. It discusses the impact of IT on internal controls and auditing, as well as challenges faced by auditors in a computerized environment, such as the lack of paper trails and difficulties in evidence collection. Controls in IT systems and the various information security risks banks face are also summarized.
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4 (Lisa Niles)
This document discusses Continuous Vulnerability Assessment and Remediation, which is Control 4 from the CIS Top 20 Critical Security Controls. It emphasizes the importance of continuously scanning systems for vulnerabilities, prioritizing remediation of the most critical issues, and ensuring vulnerabilities are addressed in a timely manner through patching or other methods. The document provides an overview of the key aspects of Control 4 and offers suggestions for tools that can be used to implement continuous scanning and vulnerability management.
Leveraging Federal Procurement to Improve Cyber Security (John Gilligan)
The document discusses opportunities to leverage federal procurement processes to improve cybersecurity. It outlines three key initiatives: 1) Implementing the "20 Critical Controls" to prioritize security investments based on common attacks. 2) Requiring "locked down configurations" for all government systems and devices. 3) Adopting the Security Content Automation Protocol (SCAP) to enable automated vulnerability management, configuration management, compliance management, and asset management across government systems. The document argues that immediate action is needed to stop the ongoing bleeding of critical government systems and data from cyber attacks.
This document describes the services offered by Tymor Total Care, a managed services plan that offers 24/7 network monitoring, help desk support, on-site support, disaster prevention, and other IT services for a flat monthly fee. The services include proactive maintenance of systems and applications, a help desk ticketing system, preventative hardware maintenance, backup and data protection, vendor management, and hosted services like email and servers. It also describes the company's data center facilities, certifications, and marketing services.
Information Assurance Metrics: Practical Steps to Measurement (EnclaveSecurity)
Show up to a security presentation, walk away with a specific action plan. In this presentation, James Tarala, a senior instructor with the SANS Institute, will be presenting on making specific plans for information assurance metrics in an organization. Clearly this is an industry buzzword at the moment (when you listen to presentations on the 20 Critical Controls, NIST guidance, or industry banter). Security professionals have to know that their executives are discussing the idea. So exactly how do you integrate information assurance metrics into action in an organization and actually achieve value from the effort? Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of its security program. Small steps are better than no steps, and by the end of this presentation, students will have a start on integrating metrics into their information assurance program.
Malware infiltration, spear phishing, data breaches...these are terrifying words with even more frightening implications. These threats are hitting the technology world hard and fast and can no longer be ignored.
System Security Plans are part of the required documentation for a certification and accreditation package. Documenting your SSP can be a daunting task, so how can you make it easy? This overview session covers: who is responsible for the SSP, plan contents, an overview of implementation detail for selected controls, flexibility of the SSP, plan maintenance issues, and what an SSP is not.
Brainwave GRC - Continuous Audit and Controls at ISACA event (Brainwave GRC)
Discover Eric In's presentation, as VP of Brainwave GRC in North America, for an ISACA Montreal event on the 13th of April 2017: how machine learning makes continuous audit and control possible.
The Governance, Risk Management, and Compliance (GRC) report by Absolute Software provides executives and IT administrators with a detailed overview of the security and health of each endpoint that is managed by the organization.
Absolute customers understand the importance of endpoint security in relation to their GRC initiatives.
The organizational risks associated with computers and mobile devices are well understood since these devices often contain sensitive data and information. They also represent an access point to networks and other company infrastructure.
Practical steps for assessing tablet & mobile device security (EnclaveSecurity)
This document discusses practical steps for assessing the security of tablet and mobile devices. It begins by noting that organizations are increasingly using mobile devices but security controls have not kept pace. It then evaluates security controls like encryption, malware protection and authentication that are available or not for different mobile platforms. The document also stresses the importance of centralized management and governance policies for mobile devices. It provides resources for further learning about mobile security best practices.
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3 (Lisa Niles)
The document discusses securing hardware and software configurations according to Critical Security Control 3. It recommends establishing standard secure configurations for operating systems and applications through hardening guides. Master images should be stored securely and configurations enforced through automated tools to prevent unauthorized changes. Free tools mentioned include CIS benchmarks and FOG for imaging, while commercial tools include Qualys for compliance assessments and Deep Freeze for image management. The overall message is that organizations must securely configure all systems according to standards and manage configurations over time through automation.
Perfect Profilers was hired by Albany Bank Corporation to assess risks within its IT applications and infrastructure. The presentation summarizes Perfect Profilers' risk assessment, which analyzed the bank's current and future state applications and infrastructure. It identified several applications as medium or high risk. The presentation recommends actions over a 12-month period to comply with regulations, enhance security, update servers, encrypt data, and back up critical systems. It demonstrates Perfect Profilers' risk profiling tool and provides a cost-benefit analysis of compliance and security improvements.
More practical insights on the 20 critical controls (EnclaveSecurity)
This presentation is for both alumni of the SANS 440 / 566 courses on the 20 Critical Controls and anyone considering implementing these controls in their organizations. Since the first version of the 20 Critical Controls were released, many organizations internationally have been considering implementing these controls as guideposts and metrics for effectively stopping directed attacks. Some organizations have been doing this effectively, others have struggled. This presentation will give case studies of organizations that have implemented these controls, what they have learned from their implementations about what works and what does not work practically. Not only will the discussion focus around what organizations are doing to implement the controls, but also what vendors are doing to help automate the controls and the status of resources and projects in the industry. Students will walk away with even more tools to be effective with their implementations.
Prioritizing an audit program using the 20 critical controls (EnclaveSecurity)
This document discusses prioritizing an audit program using the Consensus Audit Guidelines (CAG). It outlines how audit groups have historically focused on accounting, fraud, and compliance rather than security. It also notes challenges like a lack of accepted security audit practices and subjective risk measurements. The document introduces the 20 Critical Controls as a framework that prioritizes important controls, provides guidance on truly auditing security, and helps with audit strategy, automation, and reporting. It provides examples of technical tests that can be used to evaluate whether controls are effectively meeting their security goals.
The document outlines key areas for an ITGC audit of ERP systems, including developing and maintaining policies and procedures, installing and testing application software, managing changes, defining and managing service levels, managing third party services, ensuring system security, managing problems and incidents, managing data, and managing operations. Procedures are in place for each area to ensure systems are developed according to policies, changes are managed through formal processes, security and access controls are implemented, incidents are addressed, data is protected, backed up and operations are standardized.
We all know that Target-like breaches aren't completely preventable. But does that mean we're doomed and powerless? Not even close. A decisive response effort can dramatically reduce the impact of a breach, potentially stopping attacks in their tracks before sensitive data is lost.
This webinar will show you how. Using the Target breach as a case study, it will demonstrate how timely detection and threat intelligence integrated with incident response management could have stopped the attack cold.
Our featured speakers for this webinar will be:
- Tim Armstrong, Security Incident Response Specialist, Co3 Systems
- Colin Henderson, Principal Consultant Security Intelligence & Operations, HP, Enterprise Security Products
Because many organizations don't perform security unless they have to, more than 80% of all web applications are being exposed to vulnerabilities. In comes regulation. There are a number of different industries other than financial and healthcare that deal with PII and PHI but are either not regulated at all or are regulated very loosely. This presentation will discuss the various regulations (PCI, SOX, HIPAA, etc.) and what each does to address web application security, if any, as well as the shortcomings of each. Finally, it will further address industries that need to be more strictly regulated in order to better protect personal information.
Andrew Weidenhamer, Senior Security Consultant, SecureState
Andrew Weidenhamer, Senior Security Consultant, joined SecureState in January 2008. As a former member of the Profiling Team, Andrew performed technical security assessments on a weekly basis. These assessments included Internal and External Attack and Penetration Assessments, Wireless Penetration Assessments, Web Application Security Reviews, Physical Penetration Tests, and Social Engineering Assessments.
3 steps to gain control of cloud security (SBWebinars)
The cloud is a notable business advantage, but it does bring numerous security concerns. Among them:
- Lack of visibility across cloud or between on-premises and cloud environments
- Monitoring security controls and changes within cloud and multi-cloud environments
- Maintaining compliance by monitoring cloud traffic for suspicious and non-compliant behavior
It becomes increasingly complex in hybrid environments, because now you're managing security for on-premises, cloud, virtual, container environments, and more. The time commitment can feel staggering.
It doesn’t have to, however.
In this webinar we will show you the path to more effective cloud security in hybrid enterprises through a mix of:
- Vulnerability management: See how an attacker could exploit your environment and prioritize your patches accordingly
- Continuous compliance: Define your own cloud security controls and reduce the time spent on audit prep by making your cloud continuously audit-ready
- Automation and orchestration: Ingest behavior details from your cloud, then command security controls to cloud systems from a single console. The idea is instant, worry-reducing cloud control.
How Secure is your Business? Fraud Risk Analysis and Security Management (whbrown5)
The document discusses fraud risk analysis and security management. It notes some disturbing statistics about occupational fraud from a global fraud study. It then outlines how fraud is typically detected, where tips come from, and common controls used. The presentation aims to help businesses manage risks of loss from fraud and inadequate security. It covers assessing fraud risks, reviewing internal controls, and managing information technology security through regular assessments, purchasing considerations, and effective use of controls.
This document discusses managing IT risks in internet banking. It covers several topics:
1. Understanding user behaviors and expectations, such as their focus on speed, security and ease of use of internet banking services.
2. Acquiring and developing internet banking services, including following a system development life cycle and outsourcing management practices.
3. Comprehending information security and privacy risks like cyber attacks, and how to respond through human resources management practices around access controls, segregation of duties and training.
This document discusses information technology risks in banking, specifically related to internet banking. It outlines two models of internet banking - established banks providing online services and internet-only banks. While regulatory expectations are the same, internet-only banks face unique risks like high marketing costs and low margins. The document also discusses various types of IT risks including financial, operational, and compliance risks. It provides examples of risks from hacking, viruses, and unauthorized access and their potential impacts. Finally, it outlines different supervisory approaches to assessing IT risks.
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4Lisa Niles
This document discusses Continuous Vulnerability Assessment and Remediation, which is Control 4 from the CIS Top 20 Critical Security Controls. It emphasizes the importance of continuously scanning systems for vulnerabilities, prioritizing remediation of the most critical issues, and ensuring vulnerabilities are addressed in a timely manner through patching or other methods. The document provides an overview of the key aspects of Control 4 and offers suggestions for tools that can be used to implement continuous scanning and vulnerability management.
Leveraging Federal Procurement to Improve Cyber SecurityJohn Gilligan
The document discusses opportunities to leverage federal procurement processes to improve cybersecurity. It outlines three key initiatives: 1) Implementing the "20 Critical Controls" to prioritize security investments based on common attacks. 2) Requiring "locked down configurations" for all government systems and devices. 3) Adopting the Security Content Automation Protocol (SCAP) to enable automated vulnerability management, configuration management, compliance management, and asset management across government systems. The document argues that immediate action is needed to stop the ongoing bleeding of critical government systems and data from cyber attacks.
This document describes the services offered by Tymor Total Care, a managed services plan that offers 24/7 network monitoring, help desk support, on-site support, disaster prevention, and other IT services for a flat monthly fee. The services include proactive maintenance of systems and applications, a help desk ticketing system, preventative hardware maintenance, backup and data protection, vendor management, and hosted services like email and servers. It also describes the company's data center facilities, certifications, and marketing services.
Information Assurance Metrics: Practical Steps to MeasurementEnclaveSecurity
Show up to a security presentation, walk away with a specific action plan. In this presentation, James Tarala, a senior instructor with the SANS Institute, will be presenting on making specific plans for information assurance metrics in an organization. Clearly this is an industry buzzword at the moment when you listen to presentations on the 20 Critical Controls, NIST guidance, or industry banter). Security professionals have to know that their executives are discussing the idea. So exactly how do you integrate information assurance metrics into action in an organization and actually achieve value from the effort. Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of their security program. Small steps are better than no steps, and by the end of this presentation, students will have a start integrating metrics into their information assurance program.
Malware infiltration, spear phishing, data breaches...these are terrifying words with even more frightening implications. These threats are hitting the technology world hard and fast and can no longer be ignored.
System Security Plans are part of the required documentation for certification and accreditation package. Documenting your SSP can be a daunting task, so how can you make it easy? This overview session covers; who is responsible for the SSP, plan contents, overview of implementation detail for selected controls, flexibility of the SSP, plan maintenance issues, and what a SSP is not
Brainwave GRC - Continuous Audit and Controls at ISACA eventBrainwave GRC
Discover Eric In's presentation, as VP of Brainwave GRC in North-America, for an ISACA Montreal event on the 13th of April 2017: how Machine learning makes continuous audit and control possible.
The Governance, Risk Management, and Compliance (GRC) report by Absolute Software provides executives and IT administrators with a detailed overview of the security and health of each endpoint that is managed by the organization.
Absolute customers understand the importance of endpoint security in relation to their GRC initiatives.
The organizational risks associated with computers and mobile devices are well understood since these devices often contain sensitive data and information. They also represent an access point to networks and other company infrastructure.
Practical steps for assessing tablet & mobile device securityEnclaveSecurity
This document discusses practical steps for assessing the security of tablet and mobile devices. It begins by noting that organizations are increasingly using mobile devices but security controls have not kept pace. It then evaluates security controls like encryption, malware protection and authentication that are available or not for different mobile platforms. The document also stresses the importance of centralized management and governance policies for mobile devices. It provides resources for further learning about mobile security best practices.
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3Lisa Niles
The document discusses securing hardware and software configurations according to Critical Security Control 3. It recommends establishing standard secure configurations for operating systems and applications through hardening guides. Master images should be stored securely and configurations enforced through automated tools to prevent unauthorized changes. Free tools mentioned include CIS benchmarks and FOG for imaging, while commercial tools include Qualys for compliance assessments and Deep Freeze for image management. The overall message is that organizations must securely configure all systems according to standards and manage configurations over time through automation.
Perfect Profilers was hired by Albany Bank Corporation to assess risks within its IT applications and infrastructure. The presentation summarizes Perfect Profilers' risk assessment, which analyzed the bank's current and future state applications and infrastructure. It identified several applications as medium or high risk. The presentation recommends actions over a 12-month period to comply with regulations, enhance security, update servers, encrypt data, and back up critical systems. It demonstrates Perfect Profilers' risk profiling tool and provides a cost-benefit analysis of compliance and security improvements.
More practical insights on the 20 critical controlsEnclaveSecurity
This presentation is for both alumni of the SANS 440 / 566 courses on the 20 Critical Controls and anyone considering implementing these controls in their organizations. Since the first version of the 20 Critical Controls were released, many organizations internationally have been considering implementing these controls as guideposts and metrics for effectively stopping directed attacks. Some organizations have been doing this effectively, others have struggled. This presentation will give case studies of organizations that have implemented these controls, what they have learned from their implementations about what works and what does not work practically. Not only will the discussion focus around what organizations are doing to implement the controls, but also what vendors are doing to help automate the controls and the status of resources and projects in the industry. Students will walk away with even more tools to be effective with their implementations.
Prioritizing an audit program using the 20 critical controlsEnclaveSecurity
This document discusses prioritizing an audit program using the Consensus Audit Guidelines (CAG). It outlines how audit groups have historically focused on accounting, fraud, and compliance rather than security. It also notes challenges like a lack of accepted security audit practices and subjective risk measurements. The document introduces the 20 Critical Controls as a framework that prioritizes important controls, provides guidance on truly auditing security, and helps with audit strategy, automation, and reporting. It provides examples of technical tests that can be used to evaluate whether controls are effectively meeting their security goals.
The document outlines key areas for an ITGC audit of ERP systems, including developing and maintaining policies and procedures, installing and testing application software, managing changes, defining and managing service levels, managing third party services, ensuring system security, managing problems and incidents, managing data, and managing operations. Procedures are in place for each area to ensure systems are developed according to policies, changes are managed through formal processes, security and access controls are implemented, incidents are addressed, data is protected, backed up and operations are standardized.
We all know that Target-like breaches aren't completely preventable. But does that mean we're doomed and powerless? Not even close. A decisive response effort can dramatically reduce the impact of a breach, potentially stopping attacks in their tracks before sensitive data is lost.
This webinar will show you how. Using the Target breach as a case study, it will demonstrate how timely detection and threat intelligence integrated with incident response management could have stopped the attack cold.
Our featured speakers for this webinar will be:
- Tim Armstrong, Security Incident Response Specialist, Co3 Systems
- Colin Henderson, Principal Consultant Security Intelligence & Operations, HP, Enterprise Security Products
Because many organizations don't perform security unless they have to, more than 80% of all web applications are being exposed to vulnerabilities. In comes regulation. There are a number of different industries other than financial and healthcare that deal with PII and PHI but are either not regulated at all or are regulated very loosely. This presentation will discuss the various regulations (PCI, SOX, HIPAA, etc.) and what each does to address web application security, if any, as well as the shortcomings of each. Finally, it will further address industries that need to be more strictly regulated in order to better protect personal information.
Andrew Weidenhamer, Senior Security Consultant, SecureState
Andrew Weidenhamer, Senior Security Consultant, joined SecureState in January 2008. As a former member of the Profiling Team, Andrew performed technical security assessments on a weekly basis. These assessments included Internal and External Attack and Penetration Assessments, Wireless Penetration Assessments, Web Application Security Reviews, Physical Penetration Tests, and Social Engineering Assessments.
3 steps to gain control of cloud security (SBWebinars)
The cloud is a notable business advantage, but it does bring numerous security concerns. Among them:
Lack of visibility across cloud or between on-premises and cloud environments
Monitoring security controls and changes within cloud and multi-cloud environments
Maintaining compliance by monitoring cloud traffic for suspicious and non-compliant behavior
It becomes increasingly complex in hybrid environments, because now you’re managing security for on-premise, cloud, virtual, container environments, and more. The time commitment can feel staggering.
It doesn’t have to, however.
In this webinar we will show you the path to more effective cloud security in hybrid enterprises through a mix of:
Vulnerability management: See how an attacker could exploit and prioritize your patches
Continuous compliance: Define your own cloud security controls and reduce the time spent on audit prep by making your cloud continuously audit-ready
Automation and orchestration: Ingest behavior details from your cloud, then command security controls to cloud systems from a single console. The idea is instant, worry-reducing cloud control.
How Secure is your Business? Fraud Risk Analysis and Security Management (whbrown5)
The document discusses fraud risk analysis and security management. It notes some disturbing statistics about occupational fraud from a global fraud study. It then outlines how fraud is typically detected, where tips come from, and common controls used. The presentation aims to help businesses manage risks of loss from fraud and inadequate security. It covers assessing fraud risks, reviewing internal controls, and managing information technology security through regular assessments, purchasing considerations, and effective use of controls.
This document discusses managing IT risks in internet banking. It covers several topics:
1. Understanding user behaviors and expectations, such as their focus on speed, security and ease of use of internet banking services.
2. Acquiring and developing internet banking services, including following a system development life cycle and outsourcing management practices.
3. Comprehending information security and privacy risks like cyber attacks, and how to respond through human resources management practices around access controls, segregation of duties and training.
This document discusses information technology risks in banking, specifically related to internet banking. It outlines two models of internet banking - established banks providing online services and internet-only banks. While regulatory expectations are the same, internet-only banks face unique risks like high marketing costs and low margins. The document also discusses various types of IT risks including financial, operational, and compliance risks. It provides examples of risks from hacking, viruses, and unauthorized access and their potential impacts. Finally, it outlines different supervisory approaches to assessing IT risks.
Perfect Profilers was hired by Albany Bank Corporation to analyze its IT environment and infrastructure. The presentation analyzed the bank's current and future state applications and infrastructure, identifying various risks. It provided recommendations to mitigate risks, including complying with industry standards, enhancing security controls, updating servers and applications, and encrypting sensitive systems. The presentation demonstrated Perfect Profilers' risk profiling tool, which evaluates applications' inherent and residual risks. It proposed a 12-month program to prioritize improvements and compliance.
CGI's Steve Starace, SVP & BU Leader, U.S. Northeast explains how CGI’s solutions and services are addressing clients’ top priorities in the banking industry.
The Case for a Turnkey Approach to Fraud Operations (Laurent Pacalin)
The document discusses the benefits of a turnkey approach to fraud operations managed by Guardian Analytics. It outlines their managed services model which includes leveraging people, infrastructure, processes, and technology. Case studies demonstrate how their services have helped clients reduce fraudulent transactions by 90%, lower callbacks by 80%, and realize quicker time to value. The presentation emphasizes the importance of infrastructure, advanced technology, holistic processes, and knowledgeable people in delivering an efficient and effective fraud management program.
The document discusses various aspects of information system auditing processes including:
1) Audit planning which involves understanding business processes, risks, and controls to develop an audit plan and charter.
2) Types of audits that can be performed on different systems like e-commerce, EDI, POS, banking, etc. to evaluate controls, risks, and regulatory compliance.
3) Risk management processes like risk assessment, treatment, and response methodologies used in risk-based audit planning.
ControlCase Covers:
•About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA
•Components for Continuous Compliance Monitoring within IT Standards/Regulations
•Recurrence Frequency and Calendar
•Challenges in Continuous Compliance Monitoring
Vendor Management for PCI DSS, HIPAA, and FFIEC (ControlCase)
ControlCase covers the following:
•Requirements for PCI DSS, HIPAA, Business Associates, FFIEC and Banking Service Providers
•What is Vendor Management
•Why is Continual Compliance a challenge in Vendor Management
•How to mix technology and manual processes for effective Vendor Management
This webinar series is designed to help internal auditors looking to equip themselves with the competencies and confidence to handle audits of IT controls and information security, and to learn about emerging technologies and their underlying risks.
The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits.
Session 6 of 10
This Webinar focuses on Application Security
• Application security logging and monitoring
• Issues in current logging practices
• Resources required by developers for security logging
• Correlating and alerting from log sources
• Logging in multi-tiered architectures and disparate systems
• Application security logging requirements
Protect What Matters Most: Business Critical Apps and Data. Hackers and malicious insiders steal your data by exploiting the gaps left by traditional endpoint and network security. As many companies have painfully discovered, a breach goes far beyond the loss of data. It results in financial losses, regulatory fines, and damage to a company’s reputation. The Imperva SecureSphere, Incapsula and Skyfence product lines enable organizations to discover assets and vulnerabilities, protect information wherever it lives – in the cloud and on-premises – and comply with regulations. Check this out and thanks.
There are big losses from data breach incidents worldwide, from 3 M to 7.4 M USD. All incidents were caused by malicious attacks from Internet hackers for economic purposes. This introduces the best-performing tools for web application security scanning and malicious URL detection worldwide. OWASP tools have an 82% detection rate by SAST and DAST using exploit codes, so their performance is 1/50 of the tools shown in this presentation. APT malware comes from email phishing and web malware links. Through the tools Bit Scanners and PCDS, services are provided at the lowest cost, such as monthly payment, to cut users' losses in half.
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 14 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current Cyberrisks
• Data Breach and Cloud Misconfigurations
• Insecure Application Programming Interfaces (APIs)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
Outpost24 Webinar - To agent or not to agent (Outpost24)
We will highlight the benefits and drawbacks of each approach when determining the risk of different assets and analysing vulnerabilities on your network.
This document discusses strategies for assessing an organization's cybersecurity risk management program. It begins with an overview of the current state of cybersecurity, highlighting that the majority of breaches are caused by human error or outside hackers. The document then provides 10 must-ask questions to help prevent a cybersecurity breach, such as having an accurate inventory of systems and understanding how well employees can resist phishing. Finally, it outlines various methods for assessing a cybersecurity program, including a SOC for Cybersecurity examination, maturity assessment, vulnerability assessment, and penetration testing.
Banks and other financial services firms need to recognize the threats of cyber risk in a different way. Many have put in place thick walls to protect themselves. But firms cannot be protected at all times from a cyber-related incident. So putting in place structures, technologies and processes to ensure resilience—or fast recovery—is as much or more important than simply putting more locks on the doors or building stronger walls. See www.accenture.com/CyberRisk for more.
The document discusses several challenges and opportunities for SAIs regarding information technology (IT) audits. It notes that IT audits are an important component of financial audits, compliance audits, and performance audits. The document also examines challenges for SAIs in areas like developing auditing methodology for IT, introducing audit support tools, ensuring secure IT infrastructure, and carrying out performance audits related to e-government and cybersecurity programs. Two case studies are provided that demonstrate how SAIs can use data analysis and obtain data from multiple sources to identify issues in areas like social assistance benefits and passport issuance.
ControlCase provides continuous compliance services to help clients go beyond checklists and maintain year-round compliance. They monitor domains daily through quarterly like asset management and vulnerabilities. Annual reviews include policies and risk assessments. Their solution automates redundant efforts through a portal that addresses common non-compliant issues and predicts risks before audits. This reduces audit costs and improves security.
3. Overview of Binghamton Bank
March 20, 2015 Aegis - Infrastructure Division 3
• Overview of Binghamton Bank
• Executive Summary
• Aegis Analysis
• Infrastructure Risk Analysis
• Application Risk Analysis
• Summary
4. Background of Binghamton Bank
April 24, 2015 Aegis 4
• Binghamton Bank Corporation is the largest bank in the Northeastern region
• Headquarters in Boston, MA
• Specializes in commercial, retail and investment banking
• Binghamton Bank has $50 million in assets
• New CEO Conner Wayne
• “Building a Sanctuary for your Future”
• Strives to be the number one bank to safely protect one’s investments and interests
5. Binghamton Bank Issues
• Requests to enhance their applications and infrastructure to create a company that better serves the customer
• Software upgrade issues
  • Stopped payments for 2 hours
  • Large monetary loss
• Web application issue
  • Customers could not access their accounts
  • Log-in troubles
• Reliability and reputation issues
7. Executive Summary
1. Online Banking Security
Risks: High traffic; Unsecure networks; Low authorization; Allows remote access
Applicable to Bank: Reputation; Vulnerable information; Database breach
Recommendations: 2 factor authentication; Monitoring; Safeguards; Encryption
2. FIN
Risks: Backup system; Test contingency plan; Windows 2000; Test employees
Applicable to Bank: Pivotal operations; Recovery time; Prevent breaches
Recommendations: Test contingency plan annually; Update servers; Cold sites; Monthly fake scams
3. BODPS
Risks: No authorization; Employee training; Confidential information; Breaches
Applicable to Bank: Easy to hack database; GLBA violation; Critical functions
Recommendations: High authentication; Compliance; Training workshops
4. ATM Disaster Prevention
Risks: 7 critical vendors; Backup generator; Vendor transitions; Unreliable vendors
Applicable to Bank: National news; Loss of operations; Recovery time
Recommendations: Backup generator; Transition vendor; Review vendors annually
8. Executive Summary
ATM Vendor Dependency
Risks: Reliant on external vendors for ATM operations; lacking emergency protocol
Outcomes: Vendor reliability awareness; less fail time
Online Banking Remote Security
Risks: Compromised information and reputation due to weak security
Outcomes: Prevention of information disclosure
DR/Server Security
Risks: No data encryption; lack of backup plan tests; out-of-date servers
Outcomes: Reputation for safe customer information; smoother emergency procedure
BODPS
Risks: High traffic; Unsecure networks; Remote access
Recommendations
NorthGo
Risks: High traffic; Unsecure networks; Remote access
Recommendations
FIN
Risks: High traffic; Unsecure networks; Remote access
Recommendations
9. Executive Summary
1. Online Banking Security
Risks:
•High traffic
•Unsecure networks
•Remote access
Applicable to bank:
•Reputation
•Vulnerable critical information
•Database breach
Recommendations:
•Two factor authentication
•Monitoring
•Remote access safeguards
•Encryption
2. FIN
Risks:
•Backup system
•Contingency plan tests
•Windows 2000
•Test employees
Applicable to bank:
•Pivotal operations
•Recovery time
•Prevent breaches
Recommendations:
•Test contingency plan annually
•Update servers
•Cold sites
•Monthly employee scam tests
3. BODPS
Risks:
•No authorization
•Employee training
•Confidential information
•Breaches
Applicable to bank:
•Easy to hack database
•GLBA violation
•Critical functions
Recommendations:
•High authentication
•Compliance
•Training workshops for employees
4. ATM Disaster Prevention
Risks:
•7 critical vendors
•No backup generator
•Vendor transitions
•Unreliable vendors
Applicable to bank:
•National news
•Loss of operations
•Recovery time
•Financial loss
Recommendations:
•Backup generator
•Transition vendor
•Review vendors annually
11. Aegis Analysis
• Tool
  Designed a custom tool that takes user answers and calculates inherent risk, control strength and residual risk
• Criteria
  • Operational: risks associated with functions inside the company and risks that affect internal day-to-day activities
  • Financial: risks associated with business transactions, including both financial dealings and non-monetary trading or sharing
  • Technological: risks resulting from failures or errors by IT devices or systems put in place by the company
  • External: any associated risk due to an uncontrollable occurrence outside the company
13. 1. ATM Vendor Dependency
Inherent Risk
Operational
● Process 2,000-5,000 transactions per hour
External
● Negative media will reach national news
● ATMs utilize 7 or more critical vendors
Control Strength
External
● ATMs do not have backup generators
● ATMs do not have cold sites in place
● Cannot transition to another vendor
● Bank takes no precautions to ensure vendors are reliable
ATMs          Operational  Financial  Technological  External
Inherent           53          40           78           67
Control            28          10           25            9
Residual           38          36           58           60
14. 1. ATM Vendor Dependency
Reasons why the Risk is a Priority
On average ATMs process 180% more transactions per hour than online banking
Reputational Loss
- ATM failures would be known nationally
- Dependence on processes outside of Binghamton Bank’s control
Recommendations
Vendor Reliability: have a transitional backup vendor for each critical vendor
Increase Awareness of Vendor Reliability:
- Perform quarterly financial reviews
- Background checks on vendors (SOC 2)
- Annual debrief with vendor management
- Create and practice a vendor contingency plan
Failure Prevention: implement an Automatic Transfer Switch (ATS) to reduce fail time
15. 2. Online Banking Remote Access Security
Online Banking  Operational  Financial  Technological  External
Inherent             48          41           66           49
Control              30          10           24           20
Residual             34          37           50           50
Inherent Risk
Technological
● Less than 25% of online banking operations can be performed with failed servers
● More than 60% of sensitive information would be compromised in the event of a breach of the database
● Allowing remote access for online banking may lead to potential risks
Financial
● Binghamton Bank would face greater than $200,000 in fines in the event of non-compliance with regulations
Control Strength
Technological
● No multi-tier authentication in order to gain access to online banking remotely
● Weak prevention of unauthorized access to the network
● No encryption of sensitive information
16. 2. Online Banking Remote Access
Reasons why the Risk is a Priority
Reputational Loss
● Decrease in accountability to customers if servers were to fail
● Loss of sensitive information will result in non-compliance with GLBA
Monetary Loss
● Each violation of GLBA can be fined up to $100,000
Customer Safety
● Hackers could disclose or utilize customer information
Recommendations
- Include SSL certificates to encrypt data for all subdomains
- Require virtual machines for employee remote access
- Enable remote wipe for company devices
- Require 2-step authentication for employee remote access
- Enable a Virtual Private Network (VPN)
Prevent unauthorized access to the network:
- Only allow pre-authorized MAC addresses
- Implement a monitoring and logging system
- Separate networks by criticality of information
17. 3. DR/Servers Security
Inherent Risk
Technological:
● 10%-30% of critical infrastructure is not up to date
● Less than 25% of operations can be performed with failed servers
● More than 60% of sensitive information would be compromised if databases were breached
● Allowing remote access to company systems may lead to potential risks
Financial:
● Noncompliance can result in greater than $200,000 in fines
Control Strength
Technological:
● Tests contingency plan every 2-5 years
● Tests employees for online threats every year or more
● Servers do not encrypt sensitive information
Financial:
● IT employees are not well versed in financial goals and objectives
DR/Servers    Operational  Financial  Technological  External
Inherent           59          43           67           44
Control            25          15           20           18
Residual           44          36           53           36
18. 3. DR/Servers Security
Reasons why the Risk is a Priority
Monetary Loss
● GLBA fines if sensitive information is compromised
● Excess and/or unnecessary activities are performed by the IT department
Reputational and Reliability Loss
● Weak ability to adapt to unanticipated events
Recommendations
- COBIT governance framework: familiarize IT employees with business standards and goals
- Secure Sockets Layer (SSL) certificates establish an encrypted link between the server and a client
- 256-bit AES encryption
- Test employees for phishing schemes monthly
- Test contingency plan annually
- Upgrade to Windows 2012 R2 Standard edition (costly):
  1,000 servers - $800,000
  2,500 servers - $2.2 million
  5,000 servers - $4.4 million
  7,000 servers - $6.1 million
19. Infrastructure Summary
1. ATM Vendor Dependency
Risks:
•Reliant on many critical vendors to operate ATMs
•Lacking emergency plan for failed vendor
•Alternate power source unavailable
Recommendations:
•Increase vendor reliability awareness
•Implement Automatic Transfer Switch
•Transitional vendors
2. Online Banking Remote Access Security
Risks:
•Weak preventions for network access
•Sensitive information not encrypted
•Weak authentication for access
Recommendations:
•SSL certificates
•Virtual machines
•Remote wipe
•Prevent unauthorized network access
3. DR/Servers Security
Risks:
•No encryption of sensitive information
•Contingency plan not tested frequently
•Servers not up to date
Recommendations:
•Upgrade servers to Windows 2012 R2
•Utilize COBIT
•Enable SSL certificates
•Encrypt sensitive information
•Test contingency plans
21. BODPS: Current State
● Operational:
  ○ Extremely critical for business functions
  ○ Employees are not trained to properly use and secure this application
  ○ Bank is unsure how secure online networks are for customer access
● Technology:
  ○ Integrates with many critical applications and contains sensitive customer data
  ○ No levels of authorization and no scheduling of upgrades and maintenance
● Financial:
  ○ No mechanism in place to inform customers that their assets are secure
BODPS         Operational  Financial  Technological  External
Inherent           84          15           88           75
Control            38          44           20           41
Residual        52.08          15         70.4        44.25
22. BODPS: Risk & Consequences
Overall Application Risk: Poor Security. This can lead to a loss of sensitive client data. Additionally, BODPS is responsible for sending data to iReport to create financial documents. Poor security can lead to altering of this data and publishing financial statements that are not accurate. (This can lead to a violation of SOX.)
● Risk: No authorization levels
● Consequence: Anyone can access this data. Nothing verifies that the user is a trustworthy person who is permitted to access the information
● Risk: Employees are not properly trained
● Consequence: Employees can divulge information and leave workstations logged in. Not knowing security measures can lead to them sharing confidential information
● Risk: No mechanism in place to inform customers that their data is secure
● Consequence: Customers will not know if their data has been compromised or shared
● Risk: Poor security can lead to altering of this data and publishing financial statements that are not accurate, and poor security can lead to a leak of customer data
● Consequence: Leads to a violation of SOX and GLBA
23. BODPS: Recommendations
● Implement two-level authentication for employees using security tokens as an initial step to address poor security. Employees have to enter one password that they create, followed by a code from a security token that changes constantly
● Implement training courses so employees are aware of how to properly and legally use the application. Employees should be aware of social engineering threats and not divulge information, while also logging off after use
● The company should properly allocate its resources and funds to spend on training programs and frequent updates that are capable of providing the most up-to-date security measures
24. NorthGo: Current State
NorthGo       Operational  Financial  Technological  External
Inherent           84          42           56           15
Control            56          11           20           40
Residual           37          37           45           15
• Operational:
  • Backup systems exist but do not demonstrate full functionality
  • Internal monitoring system needs to be updated
  • Online networks that customers use are not secure
• Technology:
  • No authorization levels for application that stores sensitive client information
  • Rarely upgraded to be able to operate under heavy user traffic
  • No alternative operation methods if integrated application fails
• Financial:
  • Investing in online application is crucial to maintaining and expanding customer base
  • No funds allocated towards application recovery
25. NorthGo: Risk & Consequences
Overall Application Risk: Application Overload. This application experiences heavy traffic from both employees and customers, and with nothing in place to mitigate overload, NorthGo is prone to overloading and failing. Failure of NorthGo can make it prone to security threats and lead to loss of customer confidence.
● Risk: No system in place to mitigate application overload
● Consequence: Failure of the system due to increased traffic can lead to another NorthGo crash, which will lead to monetary loss and loss of customer faith. Having the system down still leaves it open to security threats where customer information can be stolen or compromised. This consequence also leads to a GLBA violation
● Risk: NorthGo does not have a system backup
● Consequence: If another NorthGo crash occurs, Binghamton Bank will earn the reputation of providing poor applications. Customers will not have confidence and there will be a loss of clientele
26. NorthGo: Recommendations
● Put a system in place to mitigate application overload
● Allocate more funds to application upgrades, maintenance and failure recovery
● Implement an internal monitoring system to gauge traffic and alert employees if the system is close to overloading
● Increase traffic capacity
● Two-factor authentication for employees and customers
  ○ Smart tokens and password for employees
  ○ Password and automatic sending of an email with a temporary access code for customers
● Password and text-message updates to customers on the current state of their data
27. FIN: Current State
● Operational:
  ○ Binghamton Bank does not have a fully functioning backup system in place
  ○ Unsure if this application’s functions can be completed manually if it were to fail
  ○ Unsure if the bank has an internal monitoring system to alert employees of an application failure
  ○ There are no compliance checks to make sure that new standards and regulations are being met
  ○ Binghamton Bank runs into noncompliance issues more than 20 times
● External:
  ○ System audits are only conducted yearly
  ○ Vendors never provide system upgrades
FIN           Operational  Financial  Technological  External
Inherent          100         100          100           15
Control            69          87           89            9
Residual           31          13           11           14
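The Aegis Analysis slide describes a custom tool that turns questionnaire answers into inherent risk, control strength and residual risk, and the score tables for the ATM, Online Banking, DR/Servers, BODPS, NorthGo and FIN slides show its output. The block below is an added example (my own Python, not Aegis's tool) that reproduces those tables under one assumed formula, residual = inherent * (1 - control/100). That formula is an inference from cells such as BODPS Operational (84 * (1 - 0.38) = 52.08) and Technological (88 * (1 - 0.20) = 70.4); the deck never states it, so it is labelled as an assumption in the code. The example also flags the cells the formula does not explain and ranks the items by their highest residual category, a ranking rule I chose rather than one the deck describes.

```python
# Added example (not the Aegis tool): reproduce the deck's inherent / control /
# residual tables and check them against one candidate formula.
# ASSUMPTION: residual = inherent * (1 - control / 100). The deck never states
# its formula; this one is inferred from cells such as BODPS Operational
# (84 * (1 - 0.38) = 52.08) and Technological (88 * (1 - 0.20) = 70.4).
from dataclasses import dataclass
from typing import List, Tuple

CATEGORIES = ("Operational", "Financial", "Technological", "External")


@dataclass(frozen=True)
class RiskRow:
    """One application or infrastructure item scored on a 0-100 scale per category."""
    name: str
    inherent: Tuple[float, ...]   # inherent risk before controls
    control: Tuple[float, ...]    # control strength (percentage of risk mitigated)
    published: Tuple[float, ...]  # residual figure as printed in the deck


# Scores copied from the deck's score tables (slides 13, 15, 17, 21, 24 and 27).
DECK: List[RiskRow] = [
    RiskRow("ATM Vendor Dependency", (53, 40, 78, 67), (28, 10, 25, 9), (38, 36, 58, 60)),
    RiskRow("Online Banking Remote Access", (48, 41, 66, 49), (30, 10, 24, 20), (34, 37, 50, 50)),
    RiskRow("DR/Servers Security", (59, 43, 67, 44), (25, 15, 20, 18), (44, 36, 53, 36)),
    RiskRow("BODPS", (84, 15, 88, 75), (38, 44, 20, 41), (52.08, 15, 70.4, 44.25)),
    RiskRow("NorthGo", (84, 42, 56, 15), (56, 11, 20, 40), (37, 37, 45, 15)),
    RiskRow("FIN", (100, 100, 100, 15), (69, 87, 89, 9), (31, 13, 11, 14)),
]


def residual_risk(inherent: float, control: float) -> float:
    """Residual risk left after controls mitigate `control` percent of the inherent risk."""
    if not (0 <= inherent <= 100 and 0 <= control <= 100):
        raise ValueError("scores must lie on the tool's 0-100 scale")
    return inherent * (1 - control / 100)


def residual_vector(row: RiskRow) -> Tuple[float, ...]:
    """Residual score for every category of one row."""
    return tuple(residual_risk(i, c) for i, c in zip(row.inherent, row.control))


def inconsistent_cells(row: RiskRow, tolerance: float = 1.0) -> List[str]:
    """Categories whose published residual is not explained by the assumed formula.

    Rounding differences up to `tolerance` points are ignored; anything larger is a
    cell a reviewer should ask the authors to re-derive before relying on it.
    """
    return [
        cat
        for cat, calc, pub in zip(CATEGORIES, residual_vector(row), row.published)
        if abs(calc - pub) > tolerance
    ]


def rank_by_residual(rows: List[RiskRow]) -> List[str]:
    """Names ordered by each item's highest residual category.

    This ranking rule is my own choice (not described in the deck); it is one
    simple way to turn the score tables into a remediation priority list.
    """
    return [r.name for r in sorted(rows, key=lambda r: max(residual_vector(r)), reverse=True)]


if __name__ == "__main__":
    for row in DECK:
        calc = ", ".join(f"{c}={v:.2f}" for c, v in zip(CATEGORIES, residual_vector(row)))
        flags = inconsistent_cells(row)
        print(f"{row.name}: {calc}" + (f"  [check: {', '.join(flags)}]" if flags else ""))
    print("Priority order:", " > ".join(rank_by_residual(DECK)))
```

Running it reproduces every table except three cells (Online Banking External, BODPS Financial, NorthGo External), which the assumed formula cannot explain; those are the figures to question before using the residual scores to justify spending.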
28. FIN: Risk & Consequences
Overall Application Risk: FIN Failure. FIN is the central financial application of Binghamton Bank and it integrates and monitors all financial transactions in one location. Not having a fully functioning backup system for an application whose functions cannot be completed manually is a risk.
• Risk: No proper backup system in place to mitigate application failure
• Consequence: Application’s functions cannot be completed and crucial bank functions will be halted. FIN failure is a security threat because a system crash can open it up to hacking threats
• Risk: Functions cannot be completed manually if the application were to fail
• Consequence: Operations cannot continue to run effectively because the bank would have to record all transactions on paper, slowing down operations to a point where everything is backlogged
• Risk: Short recovery time objective
• Consequence: Bank will lose money quickly if the application’s functions are not restored in
29. FIN: Recommendations
● Implement a more robust data backup and backup security measures in case of application failure, while investing in a more fully functional system that can take over and perform FIN’s functions if there is an emergency
• Set up a failure recovery plan to help take over for FIN
• Internal monitoring system to tell when FIN is going to fail
• Train employees to properly use FIN’s backup systems
30. Application Summary
BODPS
Current State of Application: Has poor security strength and poorly trained employees to use the application securely
Risk to Binghamton Bank: Employees can divulge client information, and information can be accessed and altered easily, leading to violations
Recommendation: Implement security tokens and implement an application and regulation training program for employees
NorthGo
Current State of Application: Current backup system is not functioning at full capacity. No authorization levels.
Risk to Binghamton Bank: System overload. Cannot function efficiently and properly.
Recommendation: Implement internal monitoring system. Reallocation of funds.
FIN
Current State of Application: Does not have a fully functioning backup system. Unsure if application’s functions can be completed manually.
Risk to Binghamton Bank: FIN failure. No proper backup system in place. Cannot be completed manually. Short recovery time objective.
Recommendation: Implement a more robust backup system. Set up a failure recovery plan. Internal monitoring system to tell when FIN is going to fail.
32. Overall Summary
• We want to explain what controls the bank currently has in place that are good
• What controls Binghamton Bank is missing
• Our recommendations by priority